[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UDP DoS mitigation?

Subject: UDP DoS mitigation?
From: ernst at easystreet.com (Rick Ernst)
Date: Fri, 12 Dec 2008 10:15:16 -0800 (PST)

We've had an increasing rate of DoS attacks that spew tens-of-thousands of
small UDP packets to a destination on our network.  We are getting roughly
2x our entire normal pps across all providers through one interface, or
about 4x normal through the individual interface.  The Cisco
7206VXR/NPE-G1 CPU melts (>95% load vs 15% average, 20% normal peak) when
this hits.

I'm using CEF and ip-route-cache flow on the outside interface.  Unicast
RPF is also enabled on the interface.  Unicast RPF in conjunction with a
BGP black-hole generator handles TCP attacks fairly well.

Two questions:
- Are there any knobs I should be turning in the Cisco config to help with
mitigate this?
- Are there any platforms that deal with high PPS/small packet more
gracefully?

We are looking at a network refresh and aren't locked into Cisco as a
vendor (although our current IP network consists entirely of Cisco gear). 
Our current aggregate (all providers, in- plus out-bound) bandwidth is
~500Mbs, but projected growth is 1Gbs within the year.

Thanks,
Rick

Follow-Ups:
- UDP DoS mitigation?
  - From: rdobbins at cisco.com (Roland Dobbins)
- UDP DoS mitigation?
  - From: dkotlerewsky at oversee.net (David Kotlerewsky)
- UDP DoS mitigation?
  - From: mhuff at ox.com (Matthew Huff)
- UDP DoS mitigation?
  - From: ernst at easystreet.com (Rick Ernst)
- UDP DoS mitigation?
  - From: fw at deneb.enyo.de (Florian Weimer)

Prev by Date: Weekly Routing Table Report
Next by Date: UDP DoS mitigation?
Previous by thread: [NANOG-announce] NANOG 45 Agenda Posted
Next by thread: UDP DoS mitigation?
Index(es):
- Date
- Thread